From the Singapore Personal Data Protection Commission:

A financial penalty of $30,000 was imposed on Singapore Taekwondo Federation for failing to make reasonable security arrangements to prevent the unauthorised disclosure of minors’ NRIC numbers on its website. Directions were also issued to the organisation to appoint a data protection officer and to put in place data protection policy.

Thing One: Societies not spared#

The Singapore Taekwondo Federation is not the first society to come afoul of the Personal Data Protection Act in Singapore, but the $30,000 penalty is certainly the highest I can recall. As noted by the commission, the society is ‘managed mostly by a team of volunteers’ and any penalty would be felt in the organisation. While there may be an impression that the Personal Data Protection Commission may be more lenient towards non-profit organisations (giving directions and warnings instead of substantial penalty), this certainly dispels it.

Lack of basic compliance such as appointing a data protection officer or having a data protection policy certainly aggravated the penalty. Certainly putting these measures in place will help you respond to the PDPC better and may make the difference between a warning and a penalty in the event of a data breach.

The most obvious lesson is that even if you run a non-profit that exists for altruistic reasons only, you have to get a data protection officer. Maybe another volunteer? (Wink wink)

Thing Two: A Dumb Computer Thing downs an Organisation again#

This is that one decision which shows you that not learning how to Excel may cost you $30,000. The data breach was caused by trying to minimise a column instead of hiding it, leaving personal data accessible to anyone. This continues the predominant trend of poor use of computers leading organisations to run afoul of the Personal Data Protection Act. The Personal Data Protection Commission recommended in this decision that “the Organisation ought to have ensured that its staff in charge of creating, processing and converting the Excel spreadsheets were given proper and regular training to equip them with the knowledge to utilise the correct function to convert the Excel spreadsheets into PDF documents that were routinely published on the Organisation’s website.”

I am not really sure that this is the right lesson to take away from this episode. As explained by the Organisation, the purpose of the NRIC number is because “participating schools would typically request for the name lists of the medalists and the results of the Championships, which would have to contain the students’ NRIC numbers, so as to allow the schools to verify and present colour awards to their students” Given that other details such as the name and the school are also available, it would be very straightforward for a school to identify a student with just that information and it is arguable that NRICs are necessary for these purposes.

Rather than trying to be clever with your computers, consider designing your system so that you will not need to be liable in the first place.

Thing Three: Mind the Kids#

While there are decisions highlighting that the Personal Data Protection Commission considers that NRICs are of special concern (See Re JP Pepperdine Group Pte Ltd [2017] SGPDPC 2 ), I believe this is the first decisions that highlights that personal data concerning children are also afforded “greater sensitivity” and is an aggravating factor in meting out penalties. (There is mention of minors in Spring College International Pte. Ltd. [2018] SGPDPC 15, but I could not really see how its discussion had an impact on the outcome of the determination)

While not enshrined in statute like the GDPR or US Children’s Online Privacy Protection Act, this is certainly a welcome step given that very little attention has been paid to this area so far.